Hello everyone, On Wed, 4 Sept 2024 at 12:47, Emilio Pozuelo Monfort <po...@debian.org> wrote: > One issue I see with using not-affected for this is that not-affected > effectively marks all older versions as that. However, in this case, a source > could be affected (e.g. in bookworm) and then in sid we've stopped building > the > affected files. If we mark sid as not-affected, then all older suites would be > marked as such too, which would be wrong/confusing. Perhaps in situations like > that, we could mark the sid version as fixed in x.y version, leaving the older > suites open until they are triaged (fix released, or marked as no-dsa etc).
I think that's sensible, if a more complete solution is needed for this use case, we could change the parsing logic to allow this to happen as well. > In general though, I think this is sensible. Thank you Emilio, 2 months have passed since my last email, so I would like to ping the security team for feedback on this. To confirm the expectations from this change, I've recently scanned a debian minimal image for CVEs and found out: 18 out of 67 affected packages/CVE are false positives due to this issue, this represents 26% of false-positives 7 out out 33 unique affecting CVEs are false positives due to this issue, this represents 21% of false-positives. Depending on whether you care more about unique affecting CVE IDs or affected packages (a single CVE can affect multiple packages), the number of false-positives is either 21% or 26%. I'm using a container just as a sampling source here, it is a specially good way of sampling this because a lot of important and highly downloaded docker containers are based on the Debian images. Take the two most downloaded container images from dockerhub as an example: memcached and nginx. Memcached was pulled 12,377,951,846 times and nginx 12,035,807,525. Both of them are based on Debian, the impact of false-positives is considerable. One of the false-positives is a specially interesting case: https://security-tracker.debian.org/tracker/CVE-2019-19882Quoting a part of it: > shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, > and Void Linux, allows local... That's a CVE which was created for Gentoo, Arch Linux, and Void Linux. They have all fixed this already, but Debian ends up "stuck" with it, we report ourselves as affected for something we can't fix. While the affected distros fixed it and the other non-affected distros marked as not-affected, we are the only ones still left with the CVE. Regards, -- Samuel Henrique <samueloph>
